Windows Unprivileged - What Account Should One Use?
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril!
As a quick overview, the table below shows which account or account type I think you should use for each use case. Note that this is highly subjective and very obviously not the best practice recommended by most enterprise software vendors.
| Subject | Client | Server | Terminal Server |
|---|---|---|---|
| Interactive logon (console or RDP) | Use a domain user account if in a domain. The primary user can be an administrator. UAC should be enabled and sudo configured. | Use a domain user account if in a domain. Domain users should not be administrators. Use local accounts when administrator rights are required. UAC should not be enabled. | You must use domain user accounts. If administrator rights are required (due to buggy applications, for example), isolate the application on one host and grant administrator rights to the domain user account. UAC should be disabled. |
| Scheduled tasks | Use Local Service or Network Service. In a domain you can use a managed service account. If administrator rights are needed (and this is not advisable for a scheduled task), grant administrator rights to the task SID (NT TASK\TaskName, see Scheduled Tasks). Do not run scheduled tasks with user accounts (unless they only run when the user is logged on). Do not run non-system scheduled tasks as LocalSystem. | Same as for client. | Do not run non-system scheduled tasks on terminal servers. |
| Services | Use a managed service account if in a domain, otherwise use a service SID (NT SERVICE\ServiceName). If administrator rights are needed (and this is not advisable for a service), grant administrator rights to the service SID (ideally, see Privileged Services) or the managed service account. Do not run non-system services as LocalSystem. | Same as for client. | Do not run non-system services on a terminal server. |
| Login via ssh | Use a domain user account if in a domain. Note that UAC likely does not apply to ssh logins: an administrator who logs on via ssh should be assumed to get a full, unfiltered token. | Use a domain user account if in a domain. Use a local user account for administrator access. | Do not use a terminal server as ssh host. |
| All cases | Consider using JEA to grant permissions to specific commands. | Same as for client. | Not very applicable. |
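The service and scheduled task rows of the table are the ones people most often get wrong in practice (new services default to LocalSystem, and tasks get registered under whoever happened to be logged on). The following PowerShell script is an added example, not code from the original page, that sets up both the way the table recommends: a service running as Local Service (or a gMSA in a domain) whose own service SID is the only identity with write access to its data folder, and a task running as Network Service. The service name `ExampleSvc`, the binary path, the data folder, the task name `ExampleCleanup`, the domain `CONTOSO`, the gMSA `svcExample` and the host `HOST01$` are placeholders chosen for the example. The `Get-ServiceSid` function reproduces the documented derivation of a service SID (S-1-5-80 followed by the five DWORDs of SHA-1 over the upper-cased UTF-16LE service name), which lets you write ACLs before the service exists; `sc.exe showsid` prints the same value and is used as the cross-check at the end.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). All names below are placeholders.
param(
    [switch]$UseGmsa,                 # domain: run the service as a gMSA instead of Local Service
    [switch]$GrantAdminToServiceSid   # the table's "buggy software needs admin" exception; off by default
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$ServiceName = 'ExampleSvc'                                   # hypothetical service
$BinaryPath  = 'C:\Program Files\ExampleSvc\ExampleSvc.exe'   # hypothetical binary
$DataDir     = 'C:\ProgramData\ExampleSvc'                    # only this service should write here

# Service SID = S-1-5-80-<five little-endian DWORDs of SHA-1(UTF-16LE(upper-case name))>.
# This is the value `sc.exe showsid <name>` prints; computing it lets you ACL resources
# for a service before it is installed.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$Name)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    [System.Security.Principal.SecurityIdentifier]('S-1-5-80-' + ($subAuthorities -join '-'))
}

# 1. Register the service and put its service SID into its token ("unrestricted").
#    Without the sidtype change NT SERVICE\ExampleSvc is not in the token and ACLs
#    granted to it have no effect.
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    New-Service -Name $ServiceName -BinaryPathName "`"$BinaryPath`"" -StartupType Manual | Out-Null
}
& sc.exe sidtype $ServiceName unrestricted | Out-Null

# 2. Move it off LocalSystem (the default for New-Service). Local Service plus the
#    service SID is the baseline; a gMSA replaces Local Service in a domain.
if ($UseGmsa) {
    # Requires the ActiveDirectory module; create once on a DC, install on HOST01.
    New-ADServiceAccount -Name 'svcExample' -DNSHostName 'svcExample.contoso.local' `
        -PrincipalsAllowedToRetrieveManagedPassword 'HOST01$'
    Install-ADServiceAccount -Identity 'svcExample'
    if (-not (Test-ADServiceAccount -Identity 'svcExample')) { throw 'gMSA not usable on this host' }
    & sc.exe config $ServiceName obj= 'CONTOSO\svcExample$' password= '' | Out-Null
} else {
    & sc.exe config $ServiceName obj= 'NT AUTHORITY\LocalService' | Out-Null
}

# 3. Grant the service SID, and only the service SID, modify rights on its data folder.
#    Other services running as Local Service do not get access this way.
$sid = Get-ServiceSid -Name $ServiceName
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
$acl  = Get-Acl -Path $DataDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# 4. The exception from the table: if the software really needs administrator rights,
#    add the service SID to Administrators rather than running as LocalSystem or as a user,
#    so only this one service gains them.
if ($GrantAdminToServiceSid) {
    Add-LocalGroupMember -Group 'Administrators' -Member $sid.Value
}

# 5. Scheduled task under Network Service instead of a user account or LocalSystem.
$action    = New-ScheduledTaskAction -Execute $BinaryPath -Argument '--cleanup'
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\NETWORK SERVICE' -LogonType ServiceAccount
Register-ScheduledTask -TaskName 'ExampleCleanup' -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# 6. Checks: SID type, computed SID vs. what the SCM reports, the ACE, the task principal.
& sc.exe qsidtype $ServiceName                       # expect SERVICE_SID_TYPE: UNRESTRICTED
$reported = (& sc.exe showsid $ServiceName | Select-String 'S-1-5-80-\S+').Matches[0].Value
if ($reported -ne $sid.Value) { throw "service SID mismatch: computed $($sid.Value), SCM reports $reported" }
(Get-Acl -Path $DataDir).Access | Where-Object { $_.IdentityReference -like "NT SERVICE\$ServiceName" }
(Get-ScheduledTask -TaskName 'ExampleCleanup').Principal
```

Run it once as an administrator on the host; the gMSA branch additionally needs the ActiveDirectory module and rights to create the account. Step 1 is the piece people skip: `sc.exe sidtype ... unrestricted` is what makes `NT SERVICE\ExampleSvc` appear in the service's token, and `sc.exe qsidtype` is the quick way to confirm it on a box someone else set up. The `$GrantAdminToServiceSid` switch is deliberately off; it exists only to show what the table's exception looks like when it has to be done, with the rights tied to the service SID rather than to an account anything else could log on with.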
Next: TBD